
Telegram Calls Claims of Bug in Messaging Service Bogus

Researchers claim to have found a bug in the Telegram messaging service that can crash devices and run up wireless data charges.

A flaw in the popular Telegram Messenger app that allows attackers to crash devices and run up wireless data charges is being disputed by the app maker who calls the claims false.

According to two Iran-based researchers, Sadegh Ahmadzadegan and Omid Ghaffarinia, Telegram users are vulnerable to attacks via specially crafted messages that bypass size limits and crash the devices that receive them. The researchers also claim that for Telegram users on paid, metered cellular data plans, those malicious messages could be costly to recipients, because the messages deplete data allowances and may incur overage charges.

Telegram Messenger is a messaging service, used by an estimated 100 million people worldwide, that combines features similar to those of WhatsApp and Snapchat. The service uses cryptography to give users a platform for exchanging private messages, images and file attachments.

“Assuming that each ASCII character is one byte long, an attacker can send multi-million-character long strings to victims (or just a null message to be funny!) and the victim would receive the message without taking a scratch!? It’s like downloading a large file without accepting to receive it.”

Regarding claims by the Iranian researchers, Telegram’s Markus Ra told Threatpost that the allegations were “click bait fear mongering” on the part of the researchers.

According to the indictment, Ahmadzadegan and Ghaffarinia are accused of working for the Iranian Revolutionary Guard Corps and of carrying out DDoS attacks against 46 U.S. financial institutions.

The researchers stop short of pinpointing the precise vulnerability because, they say, the flaw still exists and has not been patched by Telegram. But they say the specially crafted messages are large enough to crash a smartphone by exhausting the device’s memory. The two published a proof-of-concept video that they claim demonstrates the vulnerability, showing an attacker sending more than 256 MB of data to a Telegram recipient in just a few minutes.

More troubling, the researchers claim, is that Telegram’s policy allows messages to be exchanged between users who are not in each other’s contact lists, so the attacker needs no prior relationship with the victim.

“The server doesn’t allow text messages larger than 35 KB (the same size as two standard Telegram messages or a small photo),” Ra wrote to Threatpost in an email interview. “The sent message may look arbitrarily long – but the received message always arrives truncated by the server.”
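The dispute above comes down to two controls: a server-side cap on message size (the 35 KB figure Ra cites) and a client that refuses to buffer more than that cap regardless of what the sender declares. The following added example, which is not Telegram's code and not taken from the researchers, sketches both in Python. The 35 KB limit is taken from Ra's statement; the function names, the relay model and the constructed 4 MB input are assumptions made for illustration.

```python
import io

# Assumption: 35 KB is the text cap Telegram's Markus Ra gives in the article;
# everything else here is illustrative and not Telegram's own code.
MAX_TEXT_BYTES = 35 * 1024


class MessageTooLarge(ValueError):
    """Raised when an incoming frame carries more than the permitted limit."""


def truncate_utf8(text: str, limit: int = MAX_TEXT_BYTES) -> str:
    """Server-side policy: cut a message to at most `limit` bytes of UTF-8.

    Measuring in bytes rather than characters matters: multi-byte characters
    make a string several times larger on the wire than its character count
    suggests. The cut never splits a code point (a partial sequence at the
    boundary is dropped, not emitted as garbage).
    """
    data = text.encode("utf-8")
    if len(data) <= limit:
        return text
    return data[:limit].decode("utf-8", errors="ignore")


def read_bounded(stream, limit: int = MAX_TEXT_BYTES) -> bytes:
    """Client-side guard: read at most `limit` bytes from a socket-like stream.

    Reading limit + 1 bytes is enough to detect an oversized payload without
    ever buffering the whole thing, so a multi-megabyte message cannot
    exhaust memory on the receiving device even if the server did not
    enforce its own cap.
    """
    data = stream.read(limit + 1)
    if len(data) > limit:
        raise MessageTooLarge(f"payload exceeds {limit} bytes")
    return data


def relay(text: str) -> str:
    """What a policy-enforcing server hands to the recipient: the truncated text."""
    return truncate_utf8(text)


def demo() -> dict:
    """Run both controls against constructed inputs and report what happened."""
    # Constructed input: a 4 MB message of the kind the researchers describe.
    oversized = "A" * (4 * 1024 * 1024)
    delivered = relay(oversized)

    # The client trusts nothing about the declared length: it reads with a cap.
    try:
        read_bounded(io.BytesIO(oversized.encode("utf-8")))
        client_rejected = False
    except MessageTooLarge:
        client_rejected = True

    # Edge case: a 2-byte character straddling the cap is dropped whole.
    boundary = "A" * (MAX_TEXT_BYTES - 1) + "\u00e9" + "B" * 10
    boundary_cut = truncate_utf8(boundary)

    return {
        "delivered_bytes": len(delivered.encode("utf-8")),
        "client_rejected": client_rejected,
        "boundary_chars": len(boundary_cut),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `read_bounded` is that the client-side limit does not depend on the server: if a relay ever forwarded an oversized frame, the receiving device would still never allocate more than `limit + 1` bytes for it, which is the failure mode the researchers describe.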

Authors

Threatpost